Blog

Time For A Security Review

February 3, 2014 : The Team

We’ve all seen the stories over the past year about ‘NSA Spying’, ‘Privacy’, the ‘Target Break-In’, etc. Our position on how this affects sites like yours has done an about-face in recent months. For years we told small site owners not to worry too much about hackers and people in dark bunkers, primarily because, despite all the hype from anti-malware companies, there wasn’t all that much risk, and secondarily because the moment one tries to talk about this, eyes glaze over (or one sounds like a nut job). Most of us can only absorb so much detail.

But we’ve changed our minds, and we now recommend that we all be a lot more vigilant in the coming year. We should start with a site review to test for vulnerabilities and to see whether anyone has been trying to gain access. We’ll be talking more about this in the days and weeks to come, but for now here are the big things that have changed:

In the past few years the cost of raw computing power has fallen by a factor of hundreds. Until recently, your biggest protection against ‘attack’ was that only people with deep pockets could ‘hack’ large numbers of sites. So you only tended to get hit if:

you had something really ‘valuable’ (most of us don’t)

you had a serious enemy (most of us don’t) or

you were being targeted by a nation-state (most of us aren’t.)

But it has now become cheap enough for anyone and everyone to simply vacuum up data or test thousands of sites en masse for just a few hundred dollars a month. So all manner of amateurs and organised crime are doing exactly that: scraping data from every random site in a given area to see what they can see. Think of it as if someone could drive through entire neighbourhoods with an x-ray machine, look for obvious valuables and then come back later to break in.

The major hosting companies have proven to be unprepared for this new reality. No one cares about hitting you in particular, but they do enjoy hitting GoDaddy or BlueHost or wherever your site happens to be located, and if they gain access to a large provider, they may be able to get at all your data. A dozen of our customer sites were compromised in 2013 in just this manner. And the insidious thing: the hosting company did not tell their customers. Why? Perhaps they were afraid of scandal. So at the end of the day you must remember that although your data sits on their server, they view what they do a lot like a self-storage company: they are not liable for your valuables!

The new computing power also means that a breach somewhere else can spill over onto your site: if your card details were compromised by, say, Target, and you used that same card to pay for your Dreamhost account, your site may be at risk too. And if there is anything else worth looking at on your site (your customer data, for instance), that gives ne’er-do-wells a way into perhaps lots of other stuff.

From watching your sites (we’re doing it too, albeit for your benefit) it’s clear to us now that we’ve reached the point where everyone has something at risk on the internet. The ability to scan so much data so quickly has reduced our comfort level. So we’re going to recommend that you invest in a lot more security this year.

On a practical level, how does that translate into action you can take? We should start with a review of your site. Is everything that needs updating (your site software and the add-ons it runs) actually up to date? Are there features we need to add, such as security monitoring software? And we should look at the traffic you’ve been getting to see if anyone is sniffing around. The results may surprise you.
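As an added example of that last step (this is not part of the original post and not the Team’s own tooling), here is a small Python script that reads web-server access-log lines in the common ‘combined’ format and flags hosts that behave like the mass scanners described above: repeated POSTs to a login page, a burst of requests for pages that don’t exist, or requests for paths that automated scanners commonly try. The log lines are constructed for the demo, and the path lists and thresholds are assumptions you would tune for your own site.

```python
"""Flag hosts that look like they are probing a small site, from its access log.

Added example; the sample lines, path lists and thresholds are illustrative.
"""
import re
import sys
from collections import defaultdict

# Constructed Apache/nginx "combined" format lines for the demo; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2014:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2014:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2014:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2014:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2014:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2014:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2014:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Feb/2014:03:01:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "python-requests/2.2.1"
198.51.100.23 - - [03/Feb/2014:03:01:10 +0000] "GET /pma/ HTTP/1.1" 404 512 "-" "python-requests/2.2.1"
198.51.100.23 - - [03/Feb/2014:03:01:11 +0000] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "python-requests/2.2.1"
198.51.100.23 - - [03/Feb/2014:03:01:11 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 512 "-" "python-requests/2.2.1"
198.51.100.23 - - [03/Feb/2014:03:01:12 +0000] "GET /.git/config HTTP/1.1" 404 512 "-" "python-requests/2.2.1"
192.0.2.10 - - [03/Feb/2014:09:30:00 +0000] "GET / HTTP/1.1" 200 8042 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Feb/2014:09:30:04 +0000] "GET /about HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"
192.0.2.10 - - [03/Feb/2014:09:30:09 +0000] "GET /contact HTTP/1.1" 200 4096 "http://example.org/about" "Mozilla/5.0"
192.0.2.10 - - [03/Feb/2014:09:31:00 +0000] "GET /old-page HTTP/1.1" 404 512 "http://example.org/" "Mozilla/5.0"
"""

# One "combined" log line: client, identd, user, [timestamp], "request", status, size, "referer", "agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed lists: paths that automated scanners commonly request, and login pages
# that password-guessing tools POST to. Extend them for whatever your site runs.
PROBE_PATHS = (
    "/phpmyadmin", "/pma/", "/xmlrpc.php", "/.git/", "/.env", "/.svn/",
    "/wp-config.php", "/cgi-bin/", "/setup.php",
)
LOGIN_PATHS = ("/wp-login.php", "/user/login", "/administrator/index.php")


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            record = match.groupdict()
            record["status"] = int(record["status"])
            yield record


def analyze(log_text, login_post_threshold=5, not_found_threshold=4):
    """Return {ip: [reason, ...]} for hosts whose traffic matches the probe heuristics."""
    login_posts = defaultdict(int)   # POSTs to a login page, per client
    not_found = defaultdict(int)     # 404 responses, per client
    probe_hits = defaultdict(set)    # well-known scanner paths requested, per client

    for rec in parse(log_text):
        ip, path, status = rec["ip"], rec["path"].lower(), rec["status"]
        if rec["method"] == "POST" and path.startswith(LOGIN_PATHS):
            login_posts[ip] += 1
        if status == 404:
            not_found[ip] += 1
        if path.startswith(PROBE_PATHS):
            probe_hits[ip].add(rec["path"])

    findings = defaultdict(list)
    for ip, n in login_posts.items():
        if n >= login_post_threshold:
            findings[ip].append(f"{n} POSTs to a login page (possible password guessing)")
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            findings[ip].append(f"{n} requests for missing pages (possible scanner)")
    for ip, paths in probe_hits.items():
        findings[ip].append("requested commonly probed paths: " + ", ".join(sorted(paths)))
    return dict(findings)


def main(argv):
    # Read a real access log if a path is given, otherwise run on the constructed sample.
    log_text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    report = analyze(log_text)
    if not report:
        print("nothing suspicious found")
    for ip, reasons in sorted(report.items()):
        print(ip)
        for reason in reasons:
            print("   -", reason)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python probe_check.py /path/to/access.log`; the ordinary visitor in the sample (192.0.2.10, one 404 on a stale link) is left alone while the two probing hosts are reported with the reason. One caveat for shared hosting or a CDN: the first field may be the proxy’s address rather than the real client’s, so check your provider’s log format (often the client is in an X-Forwarded-For field) before reading too much into any single IP.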